[Tolas]

Ok, I've used vpn to check right away... I got impatient
I found exactly what you said birz !
I've loaded the software hive and cleaned it up, also deleted the tmp file (the faulty hdd was already in a pc as slave).

I'll rebot it tomorrow when I get there, hopefully everything will work

I will keep you posted

[Tolas]

It works fine when I boot !
That definetly was the solution, thanks everyone.

[forstera]

Hello all,

Thanks for the informations, I get the same error on a XP computer. So, I branched my HDD to another pc to reach it but now, as the filename changes for every case, I dont know how to delete the right one or howto modify the registry .... I found the \system32\software file but not possible to modify it directly.. so any help is very welcome.

Thanks for your help

[Tolas]

Start > Run > Regedit

Then go HKLM, click on File > Load Hive
Browse to your slave disk to c:\windows\system32\config\software.
It'll ask for a name for it, you can call it test or whatever you want.

From there go to (...)Microsoft>WindowsNT>Current Version>Drivers32

And you should find the key that does not belong there (check what Birz explained earlier). Delete the key, and the file (should be located on c:\windows\****.tmp)

Unload the hive.
Reboot with only your faulty disk in your system, and it should boot fine again.

[forstera]

Thanks very much for the info. So I did wath you said but I've no key named midi9 on ..\Current Version\Drivers32

I looked inside the^'folder' to see if I had something looking like Birz described but nothing... Could it be in another place ?

thanks

[birz]

Now Forefront detects it, here is the confirmation from the MMPC:

Thank you for your submission. Analysis of the file(s) in your submission (35925195) is now complete and this is the final email that you will receive regarding this submission.
The Microsoft Malware Protection Center (MMPC) has investigated the following file(s) which we received on 10/15/2009 12:13:30 PM Pacific Time.
If you were to scan the files you submitted using Microsoft's Forefront Client Security product, you would see relevant detection information similar to what is displayed below.
The detection results for the file(s) in your submission are as follows:
The report for your submission can be found here: http://AVSubmit/AVSubmitAnalysisView.aspx?SubmissionId=35925195.
Submitted Files
=============================================
vnxmc.zip [Container]
+---vnxmc.dat [Trojan:Win32/Daonol.G]
The following links contain more information regarding the detections listed above:
http://go.microsoft.com/fwlink/?linkid=95666&Entry.aspx&name=Trojan:Win32/Daonol.G

[spirou]

Thanks birz, youre toooo strong

[beware]

So we had two pcs come into our shop today with the same issue. Neither of them have the infected registry key. A 3rd pc came in but kept rebooting at the xp logo screen. I performed a repair with the xp disk, now im getting access denied to everything when hes a local admin.

For the other two pcs, I am scratching my head trying to figure out what to do next. As soon as you choose safe mode or last known good config, it reboots at mup.sys.

This just started happening to both customers yesterday.

[forstera]

So, I made a restore using the XP cd and I can boot but ...
I connect the HD to another computer and run a Kapserky analysis without having found anything. So, I connected it again to its PC and started it. Then I saw that the PC was only on SP2 so I tried to make a windows update but there ixplorer crashed (surfing is working). So I downloder the sp3 from another computer and tried to copy it with a USB key... impossible, everytime system says that file is corrupt (which is not the case). So, I stopped the computer again and connect the HD to my other system. Then, I copied the SP3 to the disk (without any problem), connect the HD to its system and started it again. Finally, I tried to launch the SP3 but after having uncompressed all the files, application hangs. So, I'm sure there's a virus or malware but impossible to find it with Kaspersky, Malware, etc... so dont know what to do. ...

[Angrykirill]

Quote:

Originally Posted by birz

it is indeed a Virus.

the infected registry key is the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
"midi9"="C:\\WINDOWS\\system32\\..\\bibcfbk.tmp 0yAAAAAAAA"

Although in this example the file name is "bibcfbk.tmp" it changes from computer to computer.

Deleting this registry key solves the problem, you can also delete the file itself from the system32 folder. I have informed Microsft of this threat and they'll call me in 5 minutes to talk to the security team.

I hope this information helps you out. Maybe the virus does something else but at least for now we're able to bring those PC back to life. I'll keep you posted.

Thanks,

I've tried to delete the following file from the recovery console, but it did not find such a file. Perhaps I am doing the command wrong, I wrote:
del C:\\WINDOWS\\system32\\..\\bibcfbk.tmp
I have also tried with a single \ and with adding 0yAAAAAAAA at the end.

Can anyone post the precise command required? Or the command that deletes the regkey rather than the file location?

[Angrykirill]

Wow!

I restarted to check and it seems that it worked the trick somehow, at least I am back to the blue windows login screen, and it allowed me to get into my user account. However I cannot see any icons of any kind, and when I bring on the ctrlaltdel console it cannot find explorer.exe

[ackbar]

For those that didnt find any infection this may help.

FIXED. Ok so i went through the steps above and went through my registry as indicated but didn't find any of the files specified. So, i decided to go through and uninstall the latest patches one at a tine. In my case i found that kb971486 was the culprit. I had to uninstall this from the recovery console.

boot off your windows xp cd
press r for recovery console
select your windows install (1 in my case)
enter your administrator password

when at the c:\windows prompt enter:
cd $ntuninstallkb971486$
cd spuninst
batch spuninst.txt

it will run some commands

exit

reboot

problem fixed

windows xp Media Center sp3 HP pavilion dz8000

[iamgap]

Quote:

Originally Posted by ackbar

For those that didnt find any infection this may help.

FIXED. Ok so i went through the steps above and went through my registry as indicated but didn't find any of the files specified. So, i decided to go through and uninstall the latest patches one at a tine. In my case i found that kb971486 was the culprit. I had to uninstall this from the recovery console.

boot off your windows xp cd
press r for recovery console
select your windows install (1 in my case)
enter your administrator password

when at the c:\windows prompt enter:
cd $ntuninstallkb971486$
cd spuninst
batch spuninst.txt

it will run some commands

exit

reboot

problem fixed

windows xp Media Center sp3 HP pavilion dz8000

ackbar,

I joined this site just to say that you are AWESOME!!

The Youth Leader for our church just had this bad patch break her computer. I came up to the church to prepare slides for Sunday's service, and she asked me to look at it. Had it not been for your post, I would have been up for hours (and really tired for my trip to see Toby MAC tomorrow) rebuilding her PC.

Thanks again!!!


gap

[yman]

ackbar,

I must agree with iamgap. You saved me so much time and I can't thank you enough! I gotta add that this site is awesome! Thanks to everyone who posted on this subject.

[hamboorjer]

Hello! I too have this problem with the endless reboot cycle. I was installing the latest Microsoft update the night it was available. Somehow, my computer turned off, and it wouldn't boot up the next morning. The screen that comes up says that the computer didn't shut down normally, and there are five choices (I don't know what this screen is called): Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Last Known Good Config, or Start Windows Normally. I cannot get any of these selections to work. It only shows the BSOD and then restarts.

I see that people have resolved the issue using the Recovery Console from the XP CD. I do not have this CD, but I can get it to load by pressing F10 during startup. The only problem is that the System Restore selection is grayed out and the only available option is to restore the computer to the original factory settings. Does that mean that even with the XP CD, I won't be able to restore it? Where can I get one of these CDs...is it downloadable?

Sorry for sounding like this, but I'm pretty much a beginner when it comes to computers (the only reason I know so much is from posters like you guys...had to come and search for this problem on this forum because I know how intelligent you guys are haha). Please help me, and thank you in advance!!